Bug 197079

Summary: Crash in FrameLoader::stopAllLoaders via [WebView dealloc] inside ~ObjCEventListener
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: WebKit APIAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, cdumez, darin, ggaren, mitz
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=197712
Attachments:
Description Flags
Fixes the bug
none
Fixes the bug darin: review+

Ryosuke Niwa
Reported 2019-04-18 15:48:21 PDT
Some WebKit clients crash in FrameLoader::stopAllLoaders via [WebView dealloc] inside ~ObjCEventListener while deleting event targets. <rdar://problem/40888424>
Attachments
Fixes the bug (6.13 KB, patch)
2019-04-18 16:02 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Fixes the bug (9.74 KB, patch)
2019-04-18 16:03 PDT, Ryosuke Niwa 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2019-04-18 16:02:31 PDT
Created attachment 367769 [details] Fixes the bug
Ryosuke Niwa
Comment 2 2019-04-18 16:03:48 PDT
Created attachment 367770 [details] Fixes the bug
Darin Adler
Comment 3 2019-04-19 09:59:58 PDT
Comment on attachment 367770 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=367770&action=review > Source/WebKitLegacy/mac/DOM/ObjCEventListener.mm:75 > + // Avoid executing arbitrary code during GC; e.g. inside Node::~Node. > + [m_listener.get() retain]; > + [m_listener.get() autorelease]; Some day we will move to ARC. To be prepared for when we do, it will be much more future-proof to use CFRetain and CFAutorelease, which can be used for this purpose even under ARC. I suggest doing that. CFRetain((__bridge CFTypeRef)m_listener.get()); CFAutorelease((__bridge CFTypeRef)m_listener.get()); To make it cleaner, if this idiom comes up more often, we could add a RetainPtr member function designed for this purpose. Unfortunately, the current RetainPtr::autorelease is not what we want because it compiles to a bridging release under ARC, not an autorelease.
Ryosuke Niwa
Comment 4 2019-04-19 11:46:51 PDT
(In reply to Darin Adler from comment #3) > Comment on attachment 367770 [details] > Fixes the bug > > View in context: > https://bugs.webkit.org/attachment.cgi?id=367770&action=review > > > Source/WebKitLegacy/mac/DOM/ObjCEventListener.mm:75 > > + // Avoid executing arbitrary code during GC; e.g. inside Node::~Node. > > + [m_listener.get() retain]; > > + [m_listener.get() autorelease]; > > Some day we will move to ARC. To be prepared for when we do, it will be much > more future-proof to use CFRetain and CFAutorelease, which can be used for > this purpose even under ARC. I suggest doing that. > > CFRetain((__bridge CFTypeRef)m_listener.get()); > CFAutorelease((__bridge CFTypeRef)m_listener.get()); > > To make it cleaner, if this idiom comes up more often, we could add a > RetainPtr member function designed for this purpose. Unfortunately, the > current RetainPtr::autorelease is not what we want because it compiles to a > bridging release under ARC, not an autorelease. Okay, sure, I'll use CF*.
Ryosuke Niwa
Comment 5 2019-04-19 12:01:40 PDT
Committed r244459: <https://trac.webkit.org/changeset/244459>
Note You need to log in before you can comment on or make changes to this bug.